I recently stumbled over an infected setup application from dubious sources on the Internet on a victim's machine. It contained a small obfuscated trojan which, interestingly, was written in .NET, so it was fairly easy to reverse engineer.
The trojan constantly downloads itself from http://ijwhite.com/white/League.exe, so you can fetch your own sample from there (into an isolated analysis VM, of course).

The trojan itself is encrypted with AES using a static key, which is very easy to unpack with a debugger like dnSpy. The code's function names are obfuscated, so reading it doesn't make much sense, but you just need to set a breakpoint before the unpacked .NET executable gets invoked and dump the decrypted memory buffer (in the variable array) to disk, which can in turn be analyzed.

Now you get an executable file named stub, which in turn can be analyzed with dnSpy.
The executable is "obfuscated" with ConfuserEx v1.0.0.0.
This results in code that is difficult and annoying to read, like:

Judging from that, the trojan has multiple settings for injection, propagation, download, etc. Everything seems to be configurable via the resources section of the executable.
Looking at this specific trojan, it seems to be pretty dumb and just downloads itself over and over again. I suspect that the author may swap out the executable, possibly targeting different victim machines, by providing a copy of the trojan with a different configuration on a case-by-case basis, but this is just speculation.
Here is the resource section of the above mentioned trojan:

Last week, I received a call for help from someone who inherited an old Highscreen 486-DX2/50 notebook from her father; it contained some important documents that she wanted to recover.
As the notebook hadn't been in operation for approx. 10 years, the CMOS battery was dead and the notebook refused to boot DOS, because the CHS values for the hard disk stored in the BIOS were lost.
As no manual was available anymore, I just unscrewed the two screws in the back of the notebook, lifted the keyboard and had a look at the hard disk.
I discovered that it contained a Conner Peripherals CP30174E hard disk with approx. 160MB capacity.
I thought this was going to be easy, and found a manual on the Internet that showed me the correct CHS values:

Cylinders       903
Heads             8
Sectors          46
Precomp           0
Landing zone    903

So I entered the information in the BIOS, attempted to boot and... nothing, the boot loader code in the MBR still told me that the OS could not be found.
Therefore I booted from a floppy disk and was able to access the internal drive. But of course, I wanted to find the right BIOS settings to let the notebook boot again.
So I started up Norton Disk Editor:
Object -> Drive -> [x] Physical -> Hard drive 0
ALT+A (Object -> Partition table), F6 (View / As partition table)
There I was able to see the following table:

System   Boot   Starting Location          Ending Location            Relative   Number of
                Side  Cylinder  Sector     Side  Cylinder  Sector     Sectors    Sectors
BIGDOS   Yes    1     0         1          5     1004      55         55         331595

Conclusion #1: Sides (heads) are numbered from 0, so an ending side of 5 means the drive has at least 6 heads.
Conclusion #2: Sectors are numbered from 1, so there are 55 sectors per track.
Conclusion #3: Cylinders are numbered from 0, so there are at least 1005 cylinders.
Cross-check: the relative sector count plus the number of sectors, 55 + 331595 = 331650, equals 1005 x 6 x 55, so the partition ends exactly on a cylinder boundary and the 6-heads/55-sectors geometry is consistent.

So we know that we have 6 heads, 55 sectors and at least 1005 cylinders.
From the vendor's CHS values we know that the drive has a capacity of 903 x 8 x 46 x 512 bytes = 170,139,648 bytes (162.257 MB).
Dividing that by the 6 x 55 x 512 bytes per cylinder of the new geometry gives 1006.98, so the BIOS geometry needs approximately 1007 cylinders to match the capacity.
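The same arithmetic as an added worked example (not code from the original post): it infers heads and sectors per track from the partition entry, cross-checks them against the partition's sector count, and then derives the cylinder count from the vendor's capacity. All numbers are the ones shown above; nothing else is assumed.

```python
# Added example (not from the original post): recover the drive geometry
# from a DOS partition-table entry and from the vendor's CHS values, as
# worked out by hand above. All numbers are the ones shown on the page.

SECTOR_SIZE = 512


def vendor_capacity_bytes(cylinders, heads, sectors):
    """Capacity implied by the vendor's CHS triple."""
    return cylinders * heads * sectors * SECTOR_SIZE


def geometry_from_partition(end_side, end_cyl, end_sector, relative, count):
    """Infer heads and sectors-per-track from a partition entry.

    Sides and cylinders are numbered from 0, sectors from 1, so the ending
    side gives heads - 1 and the ending sector the sectors per track. A DOS
    partition ends on a cylinder boundary, so relative + count must equal
    (end_cyl + 1) * heads * spt; this cross-checks the inferred geometry.
    Returns (heads, spt, minimum number of cylinders).
    """
    heads = end_side + 1
    spt = end_sector
    if relative + count != (end_cyl + 1) * heads * spt:
        raise ValueError("partition does not end on a cylinder boundary "
                         "for the inferred geometry")
    return heads, spt, end_cyl + 1


def cylinders_for_capacity(capacity_bytes, heads, spt):
    """Cylinder count that best matches the capacity with heads/spt fixed."""
    return round(capacity_bytes / (heads * spt * SECTOR_SIZE))


def recover(vendor_chs, entry):
    """Combine both sources into the geometry to enter in the BIOS."""
    cap = vendor_capacity_bytes(*vendor_chs)
    heads, spt, min_cyl = geometry_from_partition(**entry)
    cyl = cylinders_for_capacity(cap, heads, spt)
    if cyl < min_cyl:
        raise ValueError("capacity does not cover the partition")
    return {"capacity_bytes": cap, "heads": heads, "spt": spt,
            "min_cylinders": min_cyl, "cylinders": cyl}


# Values from the page: vendor geometry and the BIGDOS partition entry
VENDOR_CHS = (903, 8, 46)
BIGDOS_ENTRY = dict(end_side=5, end_cyl=1004, end_sector=55,
                    relative=55, count=331595)

if __name__ == "__main__":
    print(recover(VENDOR_CHS, BIGDOS_ENTRY))
```

The cylinder-boundary check is the important part: if it fails, the assumed side/sector numbering is wrong and the derived cylinder count would address the wrong blocks.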
Therefore, I ended up with these values:

Recently I got a Synology DS216+II NAS on which I had to install rsnapshot for daily backups.
This works quite nicely using entware-ng, but of course the backup status should also be monitored, e.g. by a remote check done by Nagios.
Unfortunately there is no nrpe package available, so you have to compile it on your own.
When fetching the headers (include.tar.gz) with wget, make sure to specify the correct architecture for your NAS in the download URL.

I recently wanted to equip a server managed with the Froxlor (formerly known as SysCP) management system with SOGo groupware features.
Linking the e-mail accounts with SOGo isn't very hard, provided that you let Froxlor save the e-mail passwords in plain text.
In case you don't want to do this and prefer to enhance security (which I would strongly encourage you to do), please also make the modifications to Froxlor shown in this blog in addition to the instructions provided here.
The installation on Debian is already known from my former SOGo installation tutorial.

4) Create a sogo.conf configuration file

Now in this tutorial, for some variation, I assume that you were using Courier IMAPd and migrated from it, even though Dovecot is the current standard for Froxlor.
It is very important that you don’t forget to place the

/***DOMAINS***/

marker in the file, as the config file will be used as a template for the automatic configuration by Froxlor:

Fill SOGoMailDomain with the DNS name of your local mail server and define the superuser account (SOGoSuperUsernames), which you should create in Froxlor as a mail address on one of your domains (pick one of your Froxlor mail accounts).

Now that you have set up a proper SOGo configuration, copy the file as the new template file to use for Froxlor:

cp /etc/sogo/sogo.conf /etc/sogo/sogo.conf.tpl

From now on, only edit sogo.conf.tpl if you want to change the SOGo config, as sogo.conf will get overwritten after every change in Froxlor.

4b) Only needed when migrating from Courier to Dovecot

If you had Courier IMAPd installed on your site, like I unfortunately had, it is recommended to migrate to Dovecot in order to be able to use the Exchange ActiveSync components.
To do this, more or less follow the Dovecot installation instructions in the Froxlor control panel under Configuration (for both SMTP and IMAP). Then don't forget to convert your mailboxes with the courier-dovecot-migrate.pl script in the subdirectories of /var/customers/mails. As you are coming from Courier, don't forget to set the nasty INBOX. namespace prefix that Courier IMAPd users were used to, in order to make the transition smooth:

6) Enjoy

Now every time you create a domain or make other changes, a view should be created in the sogo database that points to all usernames of the e-mail accounts of a certain domain, and sogo.conf is rewritten with multidomain support for all e-mail domains so that it stays in sync with SOGo.
I hope my little script helps you a bit with integrating SOGo with Froxlor.

This means that the login processes died for some reason. After trying the last known good configuration, repair mode etc. and nothing seemed to help, I booted from the Windows 7 boot CD and checked the registry by running regedit from the command prompt and loading the SYSTEM, SOFTWARE etc. hives from the Windows\system32\config directory into regedit.
I noticed that the SOFTWARE hive was nearly empty except for some Microsoft keys.
Another blogger had exactly the same problem:

So I first tried to run Microsoft's chkreg utility over a copy of the SOFTWARE hive, but it was unable to find corruption and fix it. An expanded chkreg.exe utility that can be used directly from the Windows command shell can be found here.

As this didn't succeed, I tried to copy back the SOFTWARE file from Windows\system32\config\RegBack.
I wasn't expecting it to work, as I thought that the Last Known Good Configuration feature from the boot menu would do the same, but it seems that this isn't the case; copying it back helped and the computer was able to boot up again.

The next step was to find out what had happened. I compared the broken and the good SOFTWARE file with each other and noticed that they were nearly identical, except for one page whose contents were empty in the broken registry file but filled in the working backup. I checked the hard disk's SMART values and found that the HDD had 25 reallocated sectors. I suspect that a sector reallocation was going on during the last shutdown and resulted in a blank sector being written right in the middle of the registry file, which caused the corruption. Time to change the HDD immediately before it breaks down completely.
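The page-by-page comparison described above, as an added example that is not part of the original post: it walks two hive copies in fixed-size pages and reports which pages differ, singling out pages that are entirely zero in the broken copy (the symptom of a blank sector landing inside the file). The 4096-byte page size is an assumption made here, matching the block layout of registry hives; the demo data is constructed.

```python
# Added example (not from the original post): compare two copies of a
# registry hive page by page and flag pages that are blank in one copy,
# the damage pattern found above. Assumption: 4096-byte pages, which is
# the block size registry hives are organised in; adjust if needed.

PAGE_SIZE = 4096


def diff_pages(good, bad, page_size=PAGE_SIZE):
    """Return [(page_index, kind), ...] for every page that differs.

    kind is "zeroed" when the page is all 0x00 in `bad` but not in `good`,
    "missing" when one copy is shorter than the other at that page, and
    "changed" for any other difference.
    """
    findings = []
    npages = (max(len(good), len(bad)) + page_size - 1) // page_size
    for i in range(npages):
        lo, hi = i * page_size, (i + 1) * page_size
        g, b = good[lo:hi], bad[lo:hi]
        if g == b:
            continue
        if len(g) != len(b):
            findings.append((i, "missing"))
        elif not any(b) and any(g):
            findings.append((i, "zeroed"))
        else:
            findings.append((i, "changed"))
    return findings


def diff_hive_files(good_path, bad_path):
    """Same comparison for two hive files on disk, e.g. SOFTWARE and its
    RegBack copy."""
    with open(good_path, "rb") as f:
        good = f.read()
    with open(bad_path, "rb") as f:
        bad = f.read()
    return diff_pages(good, bad)


def demo():
    """Constructed sample: a 4-page 'hive' whose third page was wiped
    and whose fourth page has one flipped byte."""
    good = bytes(range(256)) * (4 * PAGE_SIZE // 256)
    bad = bytearray(good)
    bad[2 * PAGE_SIZE:3 * PAGE_SIZE] = bytes(PAGE_SIZE)   # blank sector
    bad[3 * PAGE_SIZE] ^= 0xFF                            # single-byte change
    return diff_pages(good, bytes(bad))


if __name__ == "__main__":
    for page, kind in demo():
        print(f"page {page}: {kind}")
```

A "zeroed" finding on a hive that otherwise matches its RegBack copy points at the disk rather than at software, which is when the SMART reallocated-sector count is worth checking.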

Recently a server got infected with the Mumblehard.C trojan due to an unmaintained WordPress installation.
The trojan seems to have been installed in the /var/tmp directory on the server and run via cron every 10 minutes to check for new commands from its command and control servers. The trojan is mainly used for spamming activity.

The executable itself is a simple C program that unpacks an XORed Perl script, which then gets executed in memory (overwriting its process name with "qmail").
It seems that the command and control servers of the trojan are still active and haven't changed in a few months, as there is an analysis of the malware sample available from December 2016 which still contacted the same IP addresses:
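How such an XOR-packed script can be pulled out of the binary, as an added example that is not part of the original post and not the malware's own code: every single-byte key is tried, the candidate that looks most like Perl wins, and the script is carved from the shebang to the first non-text byte. The key (0x9C), the marker strings and the fake "dropper" bytes are constructed for the demo and are not the real Mumblehard key or payload.

```python
# Added example (not from the original post): recover a single-byte-XOR
# encoded script from a dropper image the way the Mumblehard wrapper hides
# its Perl payload. The key and the "binary" below are constructed for the
# demo and are NOT the real malware's key or payload.

PERL_MARKERS = (b"#!/usr/bin/perl", b"use strict", b"sub ", b"print ")


def xor_bytes(data, key):
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def perl_score(buf):
    """Heuristic Perl-likeness: how many marker strings appear."""
    return sum(buf.count(m) for m in PERL_MARKERS)


def find_xor_key(blob):
    """Try all 256 keys; return (key, decoded) for the best-scoring one,
    or None if no key makes the blob look like Perl."""
    best = None
    for key in range(256):
        decoded = xor_bytes(blob, key)
        score = perl_score(decoded)
        if score and (best is None or score > best[0]):
            best = (score, key, decoded)
    return None if best is None else (best[1], best[2])


def carve_script(decoded):
    """Cut from the shebang to the first non-text byte, i.e. the end of the
    embedded script (whatever followed it in the binary decodes to junk)."""
    start = decoded.find(b"#!/usr/bin/perl")
    if start < 0:
        return b""
    end = start
    while end < len(decoded) and (
            0x20 <= decoded[end] < 0x7F or decoded[end] in (0x09, 0x0A, 0x0D)):
        end += 1
    return decoded[start:end]


def extract_script(blob):
    """Return (key, script_bytes) or None."""
    found = find_xor_key(blob)
    if found is None:
        return None
    key, decoded = found
    return key, carve_script(decoded)


# Constructed sample: an ELF-looking header, some padding, the XORed script
# (key 0x9C) and trailing bytes, standing in for the real dropper.
SAMPLE_SCRIPT = (
    b"#!/usr/bin/perl\n"
    b"use strict;\n"
    b"$0 = 'qmail';\n"              # process name disguise, as above
    b"print \"checking in\\n\";\n"
    b"system('/bin/true');\n"
)
DEMO_KEY = 0x9C
DEMO_BLOB = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
             + xor_bytes(SAMPLE_SCRIPT, DEMO_KEY)
             + b"\x00" * 4 + b"\x90" * 8)

if __name__ == "__main__":
    key, script = extract_script(DEMO_BLOB)
    print(f"key=0x{key:02X}\n{script.decode()}")
```

Running this over a real sample from a sandbox is a quick way to get at the C&C addresses and the system() call without executing anything; a multi-byte or rolling key would need the marker search extended accordingly.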

It is interesting that these hosts haven't been shut down by their ISPs since then.
If you are interested, here is the Mumblehard.C Perl script as extracted from the malicious executable. You can modify the system() command and play botnet client yourself to monitor it (from an isolated, disposable host, obviously) 😉

Motivation

Since the release of Microsoft Outlook 2016, it is possible to connect clients via the ActiveSync protocol, mostly known for its use on mobile devices to synchronize calendar, contacts and e-mail. So the complicated MAPI protocol (e.g. offered by the OpenChange project) isn't necessarily needed anymore.
So my goal was to set up a Linux server that offers an ActiveSync interface as well as the "classic" IMAP, CalDAV and CardDAV interfaces for integration with e-mail clients such as Thunderbird. SOGo seems to be a very good solution for this: it lets you keep using the standard Unix daemons in your desired configuration and is just a component you can plug in to offer access to everything via the protocols mentioned above. This keeps the server easy to maintain, without having to learn new, unfamiliar management interfaces as with some other groupware servers.

So I describe a simple setup for SOGo 2 (because I like its web interface) on a Debian Jessie server handling mail for one domain, in combination with the Dovecot IMAP server and the Postfix MTA. It is a mix of things taken from several tutorials available on the Internet.

3) Install MySQL and create user table

Unfortunately, SOGo doesn't support PAM authentication, for whatever reason. The most common solution in the tutorials is to use an LDAP server, which is of course also possible, but for me it is harder to maintain due to my lack of LDAP skills. Therefore I decided to maintain a MySQL user database which is also used by Dovecot for authentication and to which I can add new shell users with a simple shell script presented later on. I prefer to have my mailbox users in /etc/passwd with a disabled login shell so that they automatically have a system-wide account and get their e-mails stored and delivered to their home directories. That's why I chose this method:

7) Install Let’s encrypt SSL-certificates for your site

As self-signed certificates always need to be added to a trust list on the client side, which makes setup harder for the user, and we now have the possibility to get free SSL certificates from the Let's Encrypt project, it is a good idea to use them instead. The downside may be the short expiration time (3 months), but as the renewal process can be automated with a cron job, it's not such a big issue.

8) Install DKIM

If you want to improve your e-mail reputation, it is a good idea to set up SPF and DKIM records. For DKIM, you can use the opendkim daemon. This step is optional and requires full access to your DNS server.
This was shamelessly copied from here

Then add the record from /etc/opendkim/keys/domain.txt to your DNS server.

9) Deploy some antivirus and antispam scripts for the MTA

It is obviously a good idea to have some virus filtering and antispam on a mail server. There are a lot of filtering solutions out there that can accomplish this, but I prefer not to rely on yet another big piece of software, so I just use a simple shell script to do some basic mail filtering according to my needs. I'm using ClamAV as antivirus filter, SpamAssassin as spam filter and some custom .zip file parsing using munpack, which can certainly be improved.

If you read the ActiveSync tuning link, you know that you may need to increase the number of active instances for handling requests according to the number of your users by setting the PREFORK= value in /etc/default/sogo.

Now finally you need to add your admin user, which you also specified above in SOGoSuperUsernames, to SOGo. Every new user can be added like a normal shell user with

adduser [username]

and maybe disable the login shell in /etc/passwd. Then use the following script to register the new user with the MySQL DB (re-enter the user's password when prompted):

Today I got a machine that was upgraded from Windows 8 to Windows 10. The user complained that his CD-ROM drive was not working after the upgrade. This was easily solved by googling around a bit and finally issuing:

OK, problem solved, but there was another strange problem. I plugged in a PS/2 mouse and it didn't work, so I plugged in a USB mouse, which worked. Then Windows 10 was doing some updates, like it always does, and after the reboot my USB mouse was gone too. No chance to get a PS/2 or USB mouse working. The PS/2 mouse driver always showed an exclamation mark with Code 10 – "Das Gerät kann nicht gestartet werden" (the device cannot be started). When plugging in a USB mouse, no error was shown in the device manager at all, but still no mouse cursor appeared, which made it hard to diagnose. There just was no mouse pointer on the screen at all!

When looking at the event log of the failed device, it told me error 0x00000184 (which translates to STATUS_INVALID_DEVICE_STATE). According to https://technet.microsoft.com/en-us/library/ff542127?f=255&MSPPError=-2147217396 this error occurs if the Mouclass service is not connected. So it had to be a mouclass issue. When checking the registry key HKLM\System\CurrentControlSet\Services\Mouclass I realized that there was no Enum subkey, which normally lists the attached devices, indicating that the mouclass driver was not started. Starting the driver manually with the "net start" command succeeded, so my theory about it not being started seemed to be correct. But why? So I checked the places where it is usually referenced and found out that in

(which is the Mouse device), the UpperFilters REG_MULTI_SZ value, which should contain the value

mouclass

was completely missing for some unknown reason! So I created this value, rebooted and TADAAA, there was the mouse cursor again and the mouse was working.
It would be really interesting to know what ruined this entry and caused me all this trouble, but at least it's solved now.

This week I had to take a look at a Windows 10 machine that randomly locked up while working with a certain application. The computer didn't freeze completely, but the foreground application stopped responding. You could still click around the desktop, but the operating system no longer reacted to user input either, so the only choice was to press reset.

The system was equipped with a 120GB SSD as boot drive, and after pressing RESET the drive wasn't detected anymore, so the BIOS showed "No boot device found".
After power-cycling the machine, the system was back to normal.

This raised the suspicion that the SSD might be faulty, which was confirmed by a full drive scan with HDTune: it locked up during the run and showed a bad sector on the drive. So unfortunately it seems that the drive locked up when accessing a bad block on the media, never recovered from this fault and didn't react to ATA reset commands.
So the drive had to be replaced, but as it was the system drive and a reinstall of the whole operating system would have been a tedious task (due to missing installers for some applications, etc.), I tried migrating the disk to a new (bigger) SSD.

First try was using Windows imaging applications like the free Macrium Reflect, but of course they failed because the disk locked up during cloning when hitting a bad block.
So ddrescue to the rescue! This application also aborts when the drive locks up, but it has a big advantage: it writes a human-readable logfile (called a mapfile in newer versions) from which it can resume. So the first round was easy: just image until the first bad block, using -n to skip the scraping phase, as scraping doesn't work anyway if touching a bad block locks up the device. Scraping has to be done manually here:

ddrescue -n /dev/sdb sdb.dd sdb.log

Now the first part of the disk was written to the image, and on the bad block the drive locked up, leaving behind a logfile that says: good up to block X, nothing beyond it. Now shut down and restart the machine to get the SSD working again.
As the ddrescue logfile format is human-readable, it's also easy to edit. The manual fortunately tells us about the logfile format:

The first non-comment line is the status line. It contains a non-negative integer and a status character. The integer is the position being tried in the input file. (The beginning of the block being tried in a forward pass or the end of the block in a backward pass).

The status character is one of these:

‘?’ copying non-tried blocks
…

Every line in the list of data blocks describes a block of data. It contains 2 non-negative integers and a status character. The first integer is the starting position of the block in the input file, the second integer is the size (in bytes) of the block. The status character is one of these:

On the second run we don't have to do much but copy the logfile to a new file (e.g. sdb2.log), delete all the lines in the block list that don't contain a "+", set the status character in the status line to "?", and then run ddrescue in reverse direction (-R) with this new file to image from the other end of the disk until we hit a faulty block again:

ddrescue -R -n /dev/sdb sdb.dd sdb2.log

Now the device falls off the bus again and we have sdb2.log, which now contains good blocks from the beginning, then a list of failed blocks, then good blocks until the end. There can be a huge gap in between, and we have to rescue the data from the good blocks inside it too. So shut down, power-cycle, reboot again, copy sdb2.log to sdb3.log, then change the lines that contain '/' or '-' and lie beyond the first faulty block to '?', change the status character in the header from '+' to '?' again, and try again in forward direction as in the first run. If it locks up, repeat the step (after power off and on), but this time leave the faulty block you just tried marked with '-' or '/' and mark only the blocks after it with '?', until you hit one that doesn't lock up the drive. This way you can do the scraping manually and finally rescue as much data as possible from the drive into the image file.
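The logfile surgery from both passes above, as an added example that is not part of the original post and not part of ddrescue: it parses the mapfile as described in the quoted manual text, keeps the finished blocks, optionally leaves the first failed block marked bad so the next run skips it, resets everything else to non-tried, and sets the status line to '?'. Positions are written in hex as ddrescue does; the sample mapfile is constructed, as are the block sizes in it.

```python
# Added example (not from the original post): rewrite a ddrescue logfile
# (mapfile) for the next manual pass against a drive that locks up on bad
# blocks. Finished ('+') blocks are kept, the first block that failed is
# left marked '-' so ddrescue will not touch it again, and every other
# non-finished block is reset to non-tried ('?'), as done by hand above.
# Positions are written in hex as ddrescue does. The sample is constructed.

FINISHED, NON_TRIED, BAD = "+", "?", "-"


def parse_mapfile(text):
    """Return (current_pos, current_status, blocks); blocks is a list of
    [pos, size, status]. Lines starting with '#' are comments, the first
    data line is the status line, the rest describe blocks."""
    status = None
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if status is None:
            status = (int(fields[0], 0), fields[1])
        else:
            blocks.append([int(fields[0], 0), int(fields[1], 0), fields[2]])
    if status is None:
        raise ValueError("no status line found")
    return status[0], status[1], blocks


def render_mapfile(pos, status_char, blocks):
    lines = ["# mapfile rewritten for the next manual pass",
             f"0x{pos:08X}  {status_char}"]
    for start, size, st in blocks:
        lines.append(f"0x{start:08X}  0x{size:08X}  {st}")
    return "\n".join(lines) + "\n"


def reset_for_next_pass(text, keep_first_bad=True):
    """Keep '+' blocks, optionally keep the first failed ('-' or '/') block
    as '-', reset everything else to '?', merge adjacent equal blocks and
    set the status line to '?' (copying non-tried blocks)."""
    pos, _, blocks = parse_mapfile(text)
    out = []
    first_bad_kept = False
    for start, size, st in blocks:
        if st == FINISHED:
            new = FINISHED
        elif keep_first_bad and not first_bad_kept and st in "-/":
            new = BAD
            first_bad_kept = True
        else:
            new = NON_TRIED
        if out and out[-1][2] == new and out[-1][0] + out[-1][1] == start:
            out[-1][1] += size          # merge with contiguous equal block
        else:
            out.append([start, size, new])
    return render_mapfile(pos, NON_TRIED, out)


# Constructed sample: forward pass stopped at 4 MiB, reverse pass came back
# to 8 MiB, with partially scraped and untried blocks in between.
SAMPLE_MAPFILE = """# Mapfile. Created by GNU ddrescue (constructed sample)
# current_pos  current_status
0x00400000     -
#      pos        size  status
0x00000000  0x00400000  +
0x00400000  0x00010000  -
0x00410000  0x00100000  /
0x00510000  0x00200000  ?
0x00710000  0x000F0000  -
0x00800000  0x00800000  +
"""

if __name__ == "__main__":
    print(reset_for_next_pass(SAMPLE_MAPFILE))
```

Call it with keep_first_bad=False for the second run described above (only '+' blocks survive) and with the default for every later run, where the block that just locked the drive up must stay marked so ddrescue starts on the block after it.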

Afterwards the image can be written to the new drive (dd if=sdb.dd of=/dev/sdc bs=4096). As the new drive is bigger, partitions can be moved and resized with gparted, but I had to make sure to use a very recent version of ntfs-3g for ntfsresize to work with the new Windows 10 NTFS format; with older versions this step fails in gparted and I had to do it manually with the recent version. Finally, the old drive was rescued and the system was properly moved to the new drive.